Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Code Injection via Veriexec Bypass in Juniper Junos OS Kernel

IdentifiersCVE-2025-21590CWE-653· Improper Isolation or…

CVE-2025-21590 is an improper isolation or compartmentalization vulnerability in the Juniper Networks Junos OS kernel. According to the provided content, a local attacker with high privileges and shell access can inject arbitrary code into the memory of legitimate processes, bypassing Junos OS Veriexec protections intended to prevent unauthorized binary execution. The issue is explicitly stated to be exploitable from the shell, not from the Junos CLI. Mandiant reporting in the supplied context further associates the flaw with process-memory code injection used to circumvent Veriexec and compromise affected Juniper MX routers. Affected releases include all versions before 21.2R3-S9; 21.4 before 21.4R3-S10; 22.2 before 22.2R3-S6; 22.4 before 22.4R3-S6; 23.2 before 23.2R2-S3; 23.4 before 23.4R2-S4; and 24.2 before 24.2R1-S2 and 24.2R2.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a privileged local attacker to compromise the integrity of the device by executing attacker-controlled code within legitimate process memory. In the supplied context, this capability was used to bypass Veriexec protections, patch or modify running Junos daemons, inhibit logging, and support deployment of persistent backdoors and other post-exploitation tooling. The primary impact is arbitrary code execution on the device with consequent loss of system integrity and facilitation of stealthy persistence and defense evasion.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce opportunities for shell-level access by tightly restricting administrative access paths, auditing and rotating privileged credentials, limiting access to terminal servers and management infrastructure, and monitoring for unauthorized entry into the FreeBSD shell environment. Because the issue is not exploitable from the Junos CLI according to the content, mitigation should focus on preventing privileged shell access and detecting anomalous process-memory modification or integrity-control bypass activity. Specific temporary vendor mitigations beyond patching were not provided in the content.

Remediation

Patch, then assume compromise.

Upgrade Junos OS to a fixed release. The provided content states that affected versions are fixed in 21.2R3-S9 and later; 21.4R3-S10 and later; 22.2R3-S6 and later; 22.4R3-S6 and later; 23.2R2-S3 and later; 23.4R2-S4 and later; and 24.2R1-S2, 24.2R2 and later, as applicable to the deployment. Where compromise is suspected, the supplied context also notes Juniper-recommended updated images and use of the Juniper Malware Removal Tool (JMRT) Quick Scan and Integrity Check after upgrading.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Juniper NetworksJunoshardware

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app
cybersecurity diveNews
Mar 6, 2026
Nearly half of exploited zero-day flaws target enterprise-grade technology | Cybersecurity Dive

An improper isolation flaw affecting Juniper MX routers that was exploited by UNC3886 in a notable 2025 zero-day campaign.

Read more
cso onlineNews
Oct 20, 2025
Network security devices endanger orgs with ’90s era flaws

An arbitrary code execution vulnerability in Juniper MX Series routers.

Read more
zeropath blogNews
Apr 9, 2025
Analyzing CVE-2025-21601: Juniper Junos OS Web Management DoS Vulnerability - ZeroPath Blog | ZeroPath

A previously noted Juniper Junos OS vulnerability referenced only as part of vendor security history; no technical details are provided in the content.

Read more
mitre attack websiteNews
Mar 22, 2023
UNC3886, Group G1048 | MITRE ATT&CK®

A Junos OS vulnerability exploited to bypass Veriexec protections and enable malicious code injection into legitimate processes.

Read more
+4 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence7

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-21590
NVD
nvd.nist.gov/vuln/detail/CVE-2025-21590
MITRE CWE · CWE-653
Improper Isolation or Compartmentalization
Vendor Advisory
supportportal.juniper.net/JSA93446
Third Party Advisory
cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-21590